Estonia Cyber Attack, April-May 2007

Summary: Starting at the end of April and continuing into May 2007, several institutions in Estonia, including the nation's parliament, largest bank, and newspapers, were the target of attacks described as "cyberwarfare." Such a conflict comprises bombarding computers linked to the Internet with "requests for service"--in the form of messages, efforts to log in, or simply logging on (as to a newspaper site)--in numbers many times greater than normal. The sudden burst in volume of requests causes computers to crash, which is what happened in Estonia. Because the bursts of requests, known as a "distributed denial of service" attack, coincided with a political controversy over the government's decision to relocate a statue commemorating the Russian army's expulsion of German troops at the end of World War II, the computer attacks were widely viewed by NATO officials as an example of "cyberwar," an organized attempt to bring an entire country's computer network to its knees.

For about a month, from late April through May 2007, computers in Estonia linked to the Internet were the targets of an intense attack evidently designed to bring the computers down and in the process wreak havoc on the Estonian economy. Experts in the topic of "cyberwar" and "cyberterrorism" from several countries, including the United States, point to the events in Estonia as a prototype of a new form of economic warfare in the 21st century.

The vocabulary of cyberwarfare. Common terms describing aspects of cyberattacks include:

  • Bots and Botnets. A group of computers on the same network (mostly the Internet) all of which have software designed to carry out an attack against targeted computer systems; in effect, robotic foot soldiers in a distributed denial of service attack.
  • Distributed Denial of Service (DDOS). Large-scale simultaneous requests (or "demands") for service--possibly numbering in the hundreds of thousands at the same time--from many different computers, aimed at target computers so that they crash from the overload. Such requests can comprise nothing more than trying to sign onto a computer on the network, or sending a large number of fake email messages to a group of recipients (e.g. members of parliament) at the same time, causing the email server to crash.
  • Zombies. The computers enlisted as soldiers in a botnet attack that are infected with software designed to carry out an attack without the knowledge or active participation of the computers' owners.
  • Virus. A software program meant to be embedded in target computers with a view towards future damage. Viruses can be hidden inside other legitimate data, such as email messages or Web sites.
  • Malware. Abbreviation for "malicious software," or programs designed for purposes of disruption or vandalism.
  • Worms. A malicious program that replicates itself onto other computers on a network. Worms are used to create "botnets" by infecting many computers without the knowledge of their owners so that, for example, a DDOS attack can be launched at a specified time.
  • Trojan horses (or just "trojans"). Computer code embedded in another, seemingly legitimate program, and designed so that the author/distributor is able to control the infected computer remotely without the knowledge or consent of the owner. Trojan horses are commonly used to launch DDOS attacks.
  • IRC. Internet relay chat, a form of messaging that facilitates the simultaneous "chatting" among members connected to the same network (e.g. the Internet). IRC is a favored tool for distributing "malware."

The basic "weapon" in the "cyberwar" waged against Estonia was the "distributed denial of service" (DDOS) attack. Such an attack involves bombarding target computers, such as those operated by banks and available to consumers via Internet connections, with tens of millions of simultaneous requests for "service," such as a query about an account balance or other information available on the computer. When the level of requests exceeds normal expectations by many times over, the target computers cannot cope and crash, thus denying "service" to legitimate users.

DDOS attacks often involve "botnets" (as in robotic networks) and "zombies." Those orchestrating the attack implant, usually surreptitiously but sometimes in the open, small programs that instruct unsuspecting computers on the Internet to begin asking the target computer(s) for "service" at a given time. This malicious software ("malware") can be spread to large numbers of computers--numbering in the hundreds of thousands, including individual personal computers connected to the Internet on a more or less continuous basis--thereby creating a large network of "zombie" computers located around the world.

Computer experts who analyzed the cyberattack in Estonia in late April and May 2007 believe such a botnet was responsible for attacks that brought down large numbers of computers in Estonia, a country that makes among the most extensive use of networks for such commonplace activities as paying for parking on the street, retail sales, and communications ranging from email between members of parliament to Internet "chat" sessions. While DDOS attacks are not uncommon, the instance in Estonia in 2007 was different in its scale, insofar as the attacks lasted for many hours at a time and were repeated day after day. Several of the country's banks, for example, were unable to transfer funds (both between accounts and to ATMs) or service retail terminals.

The attack on Estonia was not a single, sustained burst, but rather a series of attacks that occurred over several weeks. Two of the most intense days were May 9, 2007--which coincided with Victory Day, a Russian holiday marking the Soviet defeat of Nazi Germany--and May 10, 2007, when Estonia's largest bank had to shut down its online services for an hour in the face of a DDOS assault. According to an analysis of the May 10 attack, organizers had rented time on servers in order to launch the onslaught; when their time expired, so did the intensity of the DDOS. Computers in Estonia targeted with DDOS attacks included the Web sites of the Estonian president, prime minister, parliament, plus several government agencies, as well as several daily newspapers and Estonia's largest bank.

The last major wave of DDOS assaults occurred on May 18, 2007, although attacks at a lower level continued through the end of the month.

One reason the Estonian experience became the subject of intense interest by government officials from the United States, among other countries, was its presumed political background. Estonian authorities had decided to move a memorial statue commemorating the role of the Red Army in expelling German troops from Estonia during World War II from a prominent park in the capital, Tallinn. The move of the statue sparked two nights of rioting in late April in Tallinn, as well as a protest at the Estonian embassy in Moscow. The protests underscored underlying tensions between Estonia's community of ethnic Russians, comprising about one fourth of the population, and ethnic Estonians. The tensions reflected a long history of conflict over the status of Estonia, which was for centuries traded between shifting empires in Europe, including the Russian empire. Estonia fell under Soviet occupation in 1940, under the Hitler-Stalin pact, and was later occupied by Nazi Germany from 1941 until 1944, when the Red Army drove out the German army. Several thousand Estonian guerrillas subsequently resisted the reincorporation of Estonia into the USSR. It was in light of this history that removal of the memorial to Soviet troops was viewed by ethnic Russians--and possibly by the government of Russia--as a hostile act.

In advance of the cyberattacks, detailed instructions were posted anonymously, but in the Russian language, on several Web sites telling how to participate in a DDOS siege and which computers inside Estonia to target. During the course of the attacks, Estonia's defense minister said that "at the present time, we are not able to prove direct state links. All we can say is that a server in our president's office got a query from an I.P. [Internet protocol] address in the Russian administration." The foreign ministry also circulated a list of Internet addresses that participated in the attacks, including some inside the Russian government. The Russian government formally denied having any role in the DDOS attacks. (Requests that seemed to comprise the DDOS were also traced to many other countries.) Part of the nature of cyber attacks is that their origins are difficult if not impossible to trace, especially since botnets can be constructed to include computers from around the globe. In the case of the Estonia attacks, for example, computers in Vietnam and the United States were among those found to be participating in the DDOS attacks, presumably without their owners' knowledge.

No quid pro quo, such as payment of funds, was ever demanded as a condition of halting the cyberattacks.

Defense and prevention. The first layer of defense in a DDOS attack is to block traffic from suspected computers--technically, from suspected Internet addresses. In the case of the attack on Estonia, this meant addresses based outside the country, from countries ranging from Peru to China to the United States. This isolation began on the first day of the DDOS attacks, which shut down servers for Estonia's parliament--among other things, depriving legislators of email--and which coincided with a hacker's penetration of the Reform Party's Web site.

The DDOS attacks in Estonia were quickly the subject of investigation by cyberwarfare experts from several countries, including the United States and Israel, partly because the presumed political background suggested that the Estonian experience could be a precursor of future cyberwars. The headquarters of NATO dispatched experts to Tallinn to advise the Estonian government.

In general, a defense against a DDOS attack relies on blocking messages from designated Internet addresses or, as in the case of Estonia, shutting down large parts of the national network to access from outside the country. One side effect of doing so was to deprive Estonians traveling outside the country of access to email stored on domestic servers, or to their bank accounts.
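As an added illustration, not part of the original article, the following Python sketch shows the two measurements behind the defense described above: a per-address block list catches sources whose request rate exceeds normal by some multiple, while a "distributed" flood of many zombies each sending a modest number of requests only shows up when the total load per time window is compared against what the server can serve. The log lines, addresses, thresholds and window size are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not data from the incident). Each line is
# "<ISO-8601 UTC timestamp> <client ip> <request>".
def build_sample_log():
    lines = []
    # Three normal users, one request each within the minute 09:00.
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        lines.append(f"2007-05-10T09:00:{i * 10:02d} {ip} GET /account/balance")
    # A botnet of 30 "zombie" hosts (198.51.100.1-30), each sending only 4
    # requests in the same minute: no single source stands out, but the total does.
    for host in range(1, 31):
        for s in range(4):
            lines.append(f"2007-05-10T09:00:{host + s:02d} 198.51.100.{host} GET /login")
    return "\n".join(lines)

def parse_log(text):
    """Parse log lines into (UTC datetime, source ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _request = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), ip))
    return events

def requests_per_window(events, window_seconds=60):
    """Map each fixed time bucket to a Counter of requests per source ip."""
    buckets = defaultdict(Counter)
    for ts, ip in events:
        buckets[int(ts.timestamp()) // window_seconds][ip] += 1
    return buckets

def noisy_sources(events, baseline_per_window, multiplier, window_seconds=60):
    """Source ips exceeding 'multiplier' times the normal per-user rate in any
    window. This is the per-address blocking the article describes; it only
    catches sources that are individually loud."""
    flagged = set()
    for per_ip in requests_per_window(events, window_seconds).values():
        flagged.update(ip for ip, n in per_ip.items()
                       if n > baseline_per_window * multiplier)
    return sorted(flagged)

def overloaded_windows(events, capacity_per_window, window_seconds=60):
    """Time buckets whose total request count exceeds what the server can
    serve, however the load is spread across sources: the signature of a
    distributed flood that per-address thresholds miss."""
    return sorted(bucket for bucket, per_ip in
                  requests_per_window(events, window_seconds).items()
                  if sum(per_ip.values()) > capacity_per_window)
```

With a generous per-user threshold (baseline 2, multiplier 5) no zombie is flagged individually, yet the minute's 123 requests exceed a constructed capacity of 100; lowering the per-user threshold flags all 30 zombies but never the three normal users.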
